Phishing Scam Prompts Tech Firm to Go Fishing for Coverage (11th Circuit)
When a tech company falls victim to a “phishing” scam, what is the standard for whether that company is entitled to cyber coverage? Of course, that depends on the type of coverage purchased. But in this emerging field, court guidance on coverage issues like this is relatively scarce.
In PSG LLC v. Ironshore, a technology consulting firm, Principle Solutions Group LLC, fell victim to what Circuit Judge Ronald Gilman referred to as a “sophisticated” email phishing scam when the company’s controller erroneously executed a wire transfer in the amount of $1.7 million after she had followed wire instructions received from the purported email domains of a company executive and outside counsel. (Slightly more sophisticated than the Nigerian prince scam, no?)
At issue before the 11th Circuit Court of Appeals was whether PSG should be covered under the fraudulent instruction coverage clause of their commercial-crime policy, issued by Ironshore Indemnity Inc., even though the company’s controller had to override a fraud-prevention hold to effectuate the wire transfer.
The Court upheld summary judgment for PSG under the fraudulent instruction coverage. The Court found that the controller received a set of emails within minutes of each other in July 2016, one purportedly from the company’s managing director and the other from an attorney. Moreover, the Court did not believe that Wells Fargo’s fraud prevention service red flag was enough to break the chain of causation because the controller’s action was the foreseeable result of a sophisticated phishing scheme.
Ironshore argued that there was never a fraudulent instruction as defined by the policy since the first email was essentially internal, having been sent from upper management, while the subsequent email came from outside counsel, thus falling outside the scope of the policy language. The majority disagreed with Ironshore’s arguments and instead applied a broad interpretation of Ironshore’s policy and, incidentally, overlooked the significance of internal corporate fraud-prevention policies. This was, we think, a creative argument put forth by Ironshore. But we imagine that at oral argument, PSG appealed to common sense and public policy by arguing, “If fraudulent instruction coverage does not cover a phishing scam like this one, what does it cover?” Interesting read.
Thanks to James Papadakis for his contribution to this post. For more information about this case, or Wade Clark Mulcahy’s cyber-liability practice, please email Brian Gibbons.